Syrian Electronic Army no longer just Twitter feed jackers... and that's bad news

The Syrian Electronic Army is starting to pose a serious risk to enemies of the Assad regime in both Syria and further afield, according to security watchers.

Reports that the SEA managed to take over three personal email accounts of White House employees remain unconfirmed. However, recent worrying attacks on VoIP apps Viber and Tango mean that officials and security researchers need to keep a closer eye on the group, argues anti-malware tools firm FireEye.

The security company warns that in graduating from compromising the Twitter feeds of various media outlets – albeit with costly consequences – to attacking VoIP apps, the group has emerged as a much more serious threat.

"Successful attacks on international communications sites such as TrueCaller, Tango, and Viber could give Syrian intelligence access to the communications of millions of people," FireEye's Ayed Alqartah, systems engineer - Middle East and Africa warns: "Such attacks can also put human beings in real danger through espionage, intimidation, and/or arrest."

Who are the Syrian Electronic Army?

The SEA is a prolific hacker crew loyal to Syrian President Bashar al-Assad that sprung into life in mid-2011. Its antics since have included DDoS attacks, phishing against social media profiles and pro-Assad defacements. The group has targeted governments, online services and media that are perceived to be hostile to the Syrian government.

Its defacements and Twitter account hijackings are often carried out to push propaganda messages ranging from shock videos of alleged jihadist atrocities to (more recently) satirical cartoons.

The SEA has successfully targeted Twitter accounts and other social media profiles run by Al-Jazeera, the Associated Press, BBC, Daily Telegraph, Financial Times, The Guardian, Human Rights Watch, America's National Public Radio, and more.

The group's infamous hijack of AP's eponymous Twitter account, spreading a false rumour that the White House had been bombed and President Obama injured, briefly wiped billions of dollars off the stock market.

Over the last two weeks alone, the SEA has recently compromised three widely used online communications websites, each of which could have serious real-world consequences for Syria’s political opposition.

The SEA hacked the Swedish site Truecaller, home to the world's largest online telephone directory with over a billion phone numbers in over 100 countries, on 16 July. FireEye said the attack was pulled off using a vulnerable version of WordPress. After the attack, hacktivists boasted they had snatched access codes to more than a million Facebook, Twitter, LinkedIn and Gmail accounts.

Less than a week later, the SEA followed up with a successful hack against video and text messaging service Tango on 21 July, stealing more than 1.5 TB of user information, names, phone numbers, emails, and personal contacts for millions of accounts. Once again, a vulnerable version of Wordpress (version 3.2.1), allowed hackers affiliated with the SEA to lift confidential information from a database server.

The trifecta of serious hacks was completed on 24 July when the SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged but played down the significance of the attack, which it said had been pulled off using a phishing scam that gave the SEA access to Viber's customer support site. The VoIP provider has denied any private user information was compromised.

FireEye's Ayed Alqartah argues that although the scope and number of assaults distinguishes the SEA from other patriotic hacking groups, it shares some similarities.

"The SEA, just like other 'patriotic hackers' around the world, is proving that a small group of expert hackers can be a force on the international stage," Alqartah writes. "SEA pays no attention to traditional international borders, attacking both Syrians and non-Syrians, inside Syria and in many other countries."

The SEA's make up or exact relationship to the Syrian government is unclear, however the domain name for the SEA's website was registered by the Syrian Computer Society, which was previously led by President Bashar Assad. The group has targeted domestic dissidents and as well as foreign enemies of the Assad regime.

The hacktivists often send socially-engineered spear-phishing emails to lure opposition activists into opening fraudulent, malware-laden documents, says FireEye. Targeted Facebook users have also been tricked into giving up their login information.

The security researchers say the group has also been linked to the use of Trojans such as Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast, which have all been deployed against dissidents in Syria to steal documents and passwords, install keylogging software onto computers and otherwise spy on targets.

Alqartah speculates that the depth and diversity of the hacking crew's activities make it likely that it has the support of many civilian volunteers.

"The SEA’s ability to operate within the same online spaces that are typically dominated by young, tech-savvy internet users has been key to its success," he said. "And to some degree, as in other 'patriotic hacker' conflicts, the ambiguous nature of their relationship gives the Syrian government some protection from the legal and political consequences of SEA’s attacks."

A blog post on the SEA by Alqartah and Kenneth Geers, a senior global threat analyst at FireEye, can be found here. ®